debugging sendmail AUTH settings on ubuntu 16.10


I have been trying to harden a sendmail server, trying to ensure that user has to login using TLS connection to an smtp mail server. My certificates are self signed.

I can say (where foobar is the name of the server )

EHLO foo
250-foobar Hello public [xx.xx.xx.xx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
AUTH PLAIN AGRwNDJAc2VydmVyLmRwMjY0Mi5mb3JjZTkuY28udWsAdmFkZXI0Mg==
535 5.7.0 authentication failed

The auth string is generated by

perl -MMIME::Base64 -e 'print encode_base64("\000use\@foobar\000password")'

I have used a copy and paste to ensure that the string is not mistyped.

The TLS handshake is working, and the AUTH command is supported. The user code and password are correct. I am trying to find out why it's not working.

My sendmail.mc

define(`confAUTH_OPTIONS',`A p')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/sendmail-cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/sendmail-key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/sendmail-cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/sendmail-key.pem')dnl

Any connection attempt is reported as

Jun 11 18:32:23 server sm-mta[30179]: STARTTLS=server, relay=public [84.92.92.26], version=TLSv1.2, verify=NOT, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256

Any suggestions on what is going wrong, or how I can get any extra output from sendmail?


Solution

  • It seems I had failed to set up sasl2. To find out what is going on, shut down the sendmail server by doing

    service sendmail stop 
    

    Then use the following command

    /usr/sbin/sendmail  -d95.99 -bD -X /tmp/test.log
    

    This will dump out the entire sendmail conversation.

    In my case I used strace to find out which resources sendmail was accessing; it seemed to be having a go at sasl, which was not installed.

    It was a case of installing the sasl2-bin package, and editing /etc/default/saslauthd to start up when the system boots and alter the authentication method to shadow. That done, sendmail is happy to do what I want it to do.
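As an added example (not from the question or the answer above), a small Python checker for the AUTH PLAIN string itself: it builds the RFC 4616 credential the same way the perl one-liner does, and decodes a captured string so you can confirm the authzid, username and password fields are what you intended before blaming the server side. A pasted trailing newline or a missing NUL separator produces the same 535 as a broken SASL setup. Function names and sample values are constructed for this example.

```python
import base64


def encode_auth_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Build the SASL PLAIN initial response (RFC 4616):
    base64( authzid NUL authcid NUL password ). authzid is normally empty."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(blob: str) -> dict:
    """Decode a captured 'AUTH PLAIN <blob>' argument and report structural
    problems a debugger would want to see. Returns the three fields plus an
    'issues' list; an empty list means the string is well-formed."""
    issues = []
    try:
        # validate=True rejects stray characters such as a pasted CR/LF
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return {"issues": [f"not valid base64: {exc}"]}
    parts = raw.split(b"\0")
    if len(parts) != 3:
        issues.append(f"expected 3 NUL-separated fields, got {len(parts)}")
        return {"issues": issues}
    authzid, authcid, password = (p.decode("utf-8", "replace") for p in parts)
    if not authcid:
        issues.append("empty authcid (username)")
    if not password:
        issues.append("empty password")
    # encode_base64 and most shells append a newline; if it ended up inside
    # the encoded data the password the server sees is wrong
    for name, val in (("authcid", authcid), ("password", password)):
        if val != val.rstrip("\r\n"):
            issues.append(f"{name} has trailing CR/LF (pasted newline?)")
    return {"authzid": authzid, "authcid": authcid,
            "password": password, "issues": issues}


if __name__ == "__main__":
    # constructed sample matching the redacted perl one-liner in the question
    blob = encode_auth_plain("use@foobar", "password")
    print(blob)
    print(decode_auth_plain(blob))
```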